
What will 2013 bring for cyber security?

By Amichai Shulman

First, the good news. We think security will improve for larger, well-funded organizations. In the same way James Q. Wilson introduced community policing and transformed law enforcement, we think a community approach, a sort of security commune, will improve security in the digital realm. Sharing attack information will help remove the seeming randomness of attacks.

Second, the bad news:

1. As bigger firms get smarter, we think hackers will choose the path of least resistance: small companies. To date, we have seen for-profit hackers pursue small organizations, but rarely have we seen government-sponsored (APT) attackers go after the little guys. We think that will change. Small companies hold a lot of data and, in many cases, quality intellectual property. They make for ripe targets.

2. Not surprisingly, we think hackers will continue to get more sophisticated.

3. We think hackers will use a cloud-based model, refining it further in 2013, to become more efficient and effective.

Overall, 2013 will also have many headlines reporting breaches. We believe the path and methods, however, will look a bit different.

Trend #1: Government Malware Goes Commercial

Government military research has an influence on the industry. Commercial aviation, for instance, has been heavily influenced by advances in military aircraft. In 2013, we believe this government-driven cascade effect will apply to cyber security. How? The most dynamic change factor in the insider threat landscape in recent years is the evolution of modern malware. The massive introduction of user-owned devices coupled with work-force mobility is giving the “compromised insider” threat an extra weight compared to the more traditional “malicious insider” threat.

We expect two existing trends to take us through 2013:

• Technologies previously attributed to “state sponsored” attacks are going to become commercialized (or commoditized), further blurring the difference between Cyber Crime and Cyber War.

• Devices affected by modern malware (APT), representing a “compromised insider” threat, are going to become a more prominent risk factor than malicious insiders. The 2012 Verizon Data Breach Investigations Report noted malware’s impact: “69% of all data breaches incorporated Malware.” This was up 20 percentage points from the prior year’s report.

Trend #2: Attackers Move to the Cloud

Cloud computing, and in particular infrastructure as a service, or IaaS, has become an important piece of modern commercial IT. Amazon EC2, for example, gives organizations (big and small) versatility and elasticity, allowing them to keep IT costs directly proportional to their business activity volume. The same holds true for the hacking community. In 2013, we expect to see growing use of IaaS by attackers for different activities. A number of aspects make cloud computing an appealing offering for attackers, especially those that are profit driven:

• Elasticity – the ability to quickly get hold of a lot of computing resources without too many prerequisites.

• Cost – the ability to tie spending closely to a specific attack campaign and its potential gain.

• Resilience – the use of commercial cloud-computing platforms reduces the ability of defenders to black-list attackers and adds much valued latency to the process of server takedown.

Over the past year we have seen a number of attack campaigns in which attackers deployed attack servers in Amazon’s EC2 cloud. In particular, this practice is used for fraud and business logic attacks, whose network footprint is relatively low per server (and thus hard to detect as a network traffic anomaly). Such cloud offerings are also very compelling for DDoS attacks. Using a stolen credit card number to pay for the cloud service, an attacker can mount a large scale attack from the cloud, and the attack can run for long enough to do damage before preventative action against the attacking servers is taken.
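The “low footprint per server” point above is the practical difficulty for defenders: no single attacking address looks busy enough to block, and blacklisting the whole provider is not an option. One way to act on it, as an added example that is not code from the original article, is to enrich each source address with the hosting range it belongs to and aggregate by range rather than by address. The CIDR blocks and request sample below are constructed for illustration (they are documentation addresses, not real EC2 ranges); a real deployment would load the provider’s published range list.

```python
"""Aggregate low-volume web requests by hosting range.

Added example, not code from the original article.  The address ranges
and request sample are constructed for illustration; they are NOT real
provider data.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed IaaS address ranges (hypothetical, documentation space only).
IAAS_RANGES = {
    "iaas-region-a": ipaddress.ip_network("203.0.113.0/24"),
    "iaas-region-b": ipaddress.ip_network("198.51.100.0/24"),
}

# Constructed sample of (source IP, requested path) pairs: six addresses in
# one range with two requests each, a lone address in the second range, and
# a normal visitor outside any IaaS range.
SAMPLE_REQUESTS = (
    [(f"203.0.113.{host}", "/login") for host in range(10, 16) for _ in range(2)]
    + [("198.51.100.7", "/index.html")]
    + [("192.0.2.55", "/index.html")] * 3
)


def hosting_range(ip):
    """Name of the IaaS range containing ip, or None if it is not in any."""
    addr = ipaddress.ip_address(ip)
    for name, net in IAAS_RANGES.items():
        if addr in net:
            return name
    return None


def range_summary(requests):
    """Per range: (total requests, number of distinct source addresses)."""
    agg = defaultdict(lambda: [0, set()])
    for ip, _path in requests:
        name = hosting_range(ip)
        if name is None:
            continue
        agg[name][0] += 1
        agg[name][1].add(ip)
    return {name: (count, len(ips)) for name, (count, ips) in agg.items()}


def flag_ranges(requests, per_ip_threshold=5, per_range_threshold=10):
    """Return (ranges over the aggregate threshold, addresses over the per-IP
    threshold).  The interesting case is a flagged range with an empty
    second element: the campaign is visible only once traffic is grouped.
    """
    by_ip = Counter(ip for ip, _ in requests)
    noisy_ips = {ip for ip, n in by_ip.items() if n >= per_ip_threshold}
    flagged = sorted(
        name for name, (count, _) in range_summary(requests).items()
        if count >= per_range_threshold
    )
    return flagged, noisy_ips


if __name__ == "__main__":
    print(range_summary(SAMPLE_REQUESTS))
    print(flag_ranges(SAMPLE_REQUESTS))
```

On the constructed sample no address exceeds the per-IP threshold, yet the first range carries twelve requests from six hosts and is flagged. The output is a lead for rate-limiting or challenge pages on that range, not a block list: legitimate customers share the same address space, which is exactly the resilience the article attributes to cloud-hosted attackers.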

Finally, expect to see more use of on-demand computing power as attackers obtain larger quantities of unstructured data and find themselves in need of computing power to process their bounty.

Trend #3: Security Communities Form

The famous criminologist James Q. Wilson pioneered the concept of community policing and transformed law enforcement. In this case, police partnered with citizens and businesses to identify the issues that led to crime in order to reduce crime rates. Mr. Wilson’s approach, however, applied to the physical world.

The digital equivalent would encourage organizations to share attack data and coordinate what they see from an attack standpoint. Today, an attack on one company may seem random. Seen in a broader context, with broader visibility, the randomness goes away. Why don’t security professionals do this? Psychologists often assert that “The first step toward change is awareness.” We predict that in 2013 both business and government parties will take the second step of reducing the security deficit, not just by extending their individual defenses but, more importantly, by creating collaborative defenses through sharing individual protection data. In other words, cyber hippies will form security communities.

Trend #4: APT Targets Smaller Businesses

We expect that, in 2013, attackers will also extend the practice commonly dubbed APT to smaller businesses.

In 2012, we saw the continuing trend of smaller businesses being hit by cyber criminals. This is a direct outcome of the industrialization of hacking, which successfully automated web application attacks. Attackers have learned to exploit and profit from compromised web applications, especially since automation helps uncover poorly protected, smaller companies. Automation and poor protection will help APT attackers target smaller organizations that hold valuable information.

There are two key drivers that put smaller businesses at risk of cyber attacks. First is the ability to automate web application attacks from start to end: compiling a list of potential targets, identifying a vulnerability, and completing the exploit. Second is the ability to profit from such exploits in some way, either directly by monetizing data captured from the applications (especially PII and payment information) or indirectly by using the compromised applications as platforms for attacks against consumers.

The big question? How will attackers monetize their activities abusing smaller enterprises? There are two potential directions:

• Financial fraud—In this case, the attackers will require technology for automatic extraction of information from unstructured sources.

• Information trading—Requires attackers to obtain technology for the automatic extraction of information from unstructured sources.

Given that both technologies are already being put to use in valid commercial applications and that most hacking is driven by well-funded criminal organizations, we believe that this is a natural evolution of attacks.

Trend #5: Hacktivism Shifts to Quantity over Quality

In 2012, we witnessed changes in the way Hacktivism operated. In early 2011, Hacktivist groups focused their efforts on specific organizations by methodically analyzing and attacking a target’s front end (applications and web pages) and breaking it. In 2012, Hacktivism was down, but not out.

To be effective, Hacktivists need to focus on divulging content or data that can damage their targets. In our February report on Hacktivism, we detailed the process for stealing data from web applications. We think this process will continue, but a new variation will emerge. Specifically, Hacktivists will focus their efforts on discovering which CMS products public websites run, via well-established techniques such as error grabbing and Google dork searches, and mapping those products to known vulnerabilities. They will then use automated hacking tools to pull out the database contents and sensitive files for public disclosure. This approach, though simple and methodical, favors quantity over quality.

For example, the Hacktivist group GhostShellTeam focused, over the course of 2012, on CMS hacks with automated tools to expose files and data. Looking at the disclosed data, it was very clear that most of it was captured from a CMS system and that the extraction method was SQL injection. How do such attacks work?

1. Identify and collect vulnerabilities in CMS systems from different sources, such as exploit-db.com and other exploit databases, hacker forums and pastebin.com publications.

2. Map sites that use these CMS systems and versions, via error message grabbing, Google dork searches and other techniques.

3. Once identified, the targets may or may not be sorted into different Hacktivism campaigns, depending on the current agenda of the hacktivist group.

4. An automated tool, such as sqlmap or Havij, is then used to grab the data out of the vulnerable website.

5. The data is disclosed via social networks, usually alongside a long public letter from the group naming and blaming whoever the campaign targets.
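The procedure above leaves traces a defender can look for: the error-grabbing probes of step 2 produce 5xx responses on requests with a stray quote, and the tools of step 4 send recognizable user agents and UNION, schema-enumeration or time-based payloads. As an added example (not code from the original article or the report it cites), the following detector parses Combined Log Format lines, URL-decodes the request path, and scores each source on tool user agent, injection signatures and server errors. The log lines are constructed for illustration, and the signature list is a small illustrative set rather than a complete ruleset.

```python
"""Flag automated SQL-injection extraction attempts in web access logs.

Added example, not code from the original article.  The log lines are
constructed (Combined Log Format) and the signatures are illustrative.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Combined Log Format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Signatures applied to the URL-decoded request path (illustrative set).
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.{0,20}\bselect\b", re.I),     # UNION-based extraction
    re.compile(r"\binformation_schema\b", re.I),          # schema enumeration
    re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I),    # tautology (' OR '1'='1)
    re.compile(r"\b(sleep|benchmark|waitfor)\b", re.I),   # time-based blind probes
]
TOOL_UA = re.compile(r"sqlmap|havij", re.I)   # default tool user agents

# Constructed sample: one normal visitor, one sqlmap run preceded by an
# error-grabbing probe, one Havij request, and a lone time-based probe.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Dec/2012:10:00:01 +0000] "GET /index.php?id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [03/Dec/2012:10:00:05 +0000] "GET /index.php?id=7%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [03/Dec/2012:10:00:06 +0000] "GET /index.php?id=7%20UNION%20ALL%20SELECT%20NULL,table_name%20FROM%20information_schema.tables-- HTTP/1.1" 200 9811 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '203.0.113.5 - - [03/Dec/2012:10:01:12 +0000] "GET /news.php?cat=3%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 7200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Havij)"',
    '192.0.2.44 - - [03/Dec/2012:10:02:00 +0000] "GET /about.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [03/Dec/2012:10:03:00 +0000] "GET /news.php?cat=3%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 7200 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded_path"] = unquote_plus(rec["path"])   # match on decoded form
    return rec


def score_records(records):
    """Per source address: tool UA seen, requests with a signature hit, 5xx count."""
    stats = defaultdict(lambda: {"requests": 0, "tool_ua": False,
                                 "sqli_hits": 0, "server_errors": 0})
    for rec in records:
        s = stats[rec["ip"]]
        s["requests"] += 1
        if TOOL_UA.search(rec["ua"]):
            s["tool_ua"] = True
        if any(p.search(rec["decoded_path"]) for p in SQLI_PATTERNS):
            s["sqli_hits"] += 1          # one hit per request, not per pattern
        if rec["status"] >= 500:
            s["server_errors"] += 1
    return dict(stats)


def suspicious_sources(lines, min_hits=2):
    """Sources that used a known tool, sent repeated payloads, or combined a
    payload with a server error (the error-grabbing step)."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    stats = score_records(records)
    return sorted(
        ip for ip, s in stats.items()
        if s["tool_ua"]
        or s["sqli_hits"] >= min_hits
        or (s["sqli_hits"] and s["server_errors"])
    )


if __name__ == "__main__":
    for ip, s in score_records([parse_line(l) for l in SAMPLE_LOG]).items():
        print(ip, s)
    print("suspicious:", suspicious_sources(SAMPLE_LOG))
```

Two design points matter in practice. Matching on the decoded path is what catches the `%27`/`%20` encoded payloads the tools send; matching the raw path would miss them. And a single time-based probe (the last sample line) is deliberately not enough on its own: user agents are trivially changed and one odd request is common, so the detector needs either a known tool, repetition, or a payload paired with the server error that step 2 relies on.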

Conclusion

“A good hockey player plays where the puck is. A great hockey player plays where the puck is going to be.” — Wayne Gretzky

Hacking is inherently innovative. This means security teams, like Mr. Gretzky, need to keep their eye on where things are going—not just on where they’ve been. As 2013 approaches, security continues to evolve dramatically from just one year ago.

In general, profiteering hackers will continue to focus on stealing things that make money: data. Meanwhile, government attackers will focus on intellectual property and espionage. If security teams continue to rely on traditional perimeter and endpoint controls such as antivirus, we can expect breaches to continue to dominate headlines.

Today, many attacks are very “noisy” and give clues that an attack is underway. Often, security teams are not able to monitor and control data access across internal networks and servers, making them deaf and blind to the attack. We believe that future trends underscore the need to invest in the right “ears and eyes” to monitor the access of servers, databases and files. With cameras inside the vaults, spotting aberrant behavior will be essential when it comes to stopping attacks.